CMMC Consulting Services

From CMMC Readiness Assessment through Compliance Monitoring & Maintenance, we help your organization identify security gaps, create an action plan for remediation, and establish ongoing compliance measures.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the standard the government will utilize to mandate cybersecurity policies for contractors across the Defense Industrial Base (DIB). The CMMC framework includes a comprehensive set of processes and practices associated with achieving a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department of Defense that a company can adequately protect sensitive unclassified information and so help secure our nation’s supply chain.

Any organization that contracts with the Department of Defense will require some level of the CMMC unless it sells only commercial-off-the-shelf products.

The 5 Levels of CMMC

CMMC is broken down into five levels. Each level constitutes a greater level of cyber hygiene. Since each level enhances your cybersecurity posture, each also includes a larger set of processes and practices than the one before it.

CMMC Level 1

Geared towards businesses that provide general supplies and services, CMMC Level 1 focuses on the protection of FCI if you do not store or process CUI or CDI. This CMMC level is considered Basic Cyber Hygiene and consists of 17 practices.

CMMC Level 2

While most CMMC requirements will fall under Levels 1 and 3, Level 2 is a transitional stage, serving as a progression from Level 1 to Level 3. It consists of a subset of the security requirements in the NIST 800-171, is considered Intermediate Cyber Hygiene, and consists of 72 practices.

CMMC Level 3

CMMC Level 3 focuses on the protection of CUI and covers all of the security requirements found in NIST 800-171, in addition to other standards and references. Level 3 is considered Good Cyber Hygiene and consists of 130 practices.

CMMC Level 4

CMMC Level 4 requires that organizations review and measure their practices for effectiveness. It focuses on protecting CUI and covers a subset of the enhanced security requirements from the Draft NIST 800-171B. Level 4 is considered Proactive with regard to Cyber Hygiene and consists of 156 practices.

CMMC Level 5

CMMC Level 5 requires an organization to optimize its process implementation across the business. Level 5 focuses on the protection of CUI and consists of 171 practices. Level 5 is considered Sophisticated Cyber Hygiene.

CMMC Domains

The CMMC consists of 17 domains with each tier layering additional processes and practices for each domain.

  • Access Control

  • Asset Management

  • Audit & Accountability

  • Awareness & Training

  • Configuration Management

  • Identification & Authentication

  • Incident Response

  • Maintenance

  • Media Protection

  • Personnel Security

  • Physical Protection

  • Recovery

  • Risk Management

  • Security Assessment

  • Situational Awareness

  • System Communications Protection

  • System & Information Integrity

Why CMMC Matters

Concern about cybercrime against government organizations stems from the increased risk to national security. The CMMC is intended to assess and enhance the cybersecurity position of organizations that serve the Defense Sector. The risks of cybercrime are not confined to the Defense Sector, and all organizations should be focused on cybersecurity. Even if you are not engaging in government contracts, you should still have a Cybersecurity Assessment completed for your organization. The annual impact of cybercrime is over $600 Billion! Cybercrime does not target only enterprise organizations; it heavily targets small and medium businesses. Small businesses make up 54% of the Department of Defense contracts.

This report is a line-item scorecard showing the results of the implementation review of each of the 110 controls included in NIST (SP) 800-171, and the total score based on the Department of Defense’s official scoring rubric, with a starting maximum score of 110, and specified deductions made for non-implementation of a given control.

The System Security Plan is the foundation of NIST 800-171 compliance. It must contain the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems.

POA&Ms describe why an organization cannot satisfy a requirement, the steps planned to address the shortcomings, and a date that the plan will be executed. You are required to document how you plan to correct deficiencies and reduce or eliminate vulnerabilities in your system. The POA&M will expose how many of the security requirements will need to be fully implemented. The POA&M is a requirement of the Interim Rule and includes information about security control implementation weaknesses and gaps found during the assessment. Our POA&M report is in Excel format and follows the DoD’s best practices template.

Executing your POA&M and achieving full compliance can be a full-time effort. However, completing the POA&M and implementing your remediation plan will ensure compliance with NIST and ensure you are prepared for CMMC.

Often overlooked, maintaining compliance with DoD security standards can be a complex undertaking, and requires a documented plan and sometimes daily activities. Once your assessment is done and plans to remediate any unfinished requirements are in place, it’s time to move into the maintenance phase.

Why Do You Need A CMMC Consultant?

The CMMC Accreditation Body (CMMC AB) manages the Third-Party Assessor Organization (C3PAO). You will need to utilize a C3PAO in order to achieve your CMMC. The CMMC is heavily based on NIST SP 800-171, a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). The NIST Cybersecurity Framework outlines all the ways data needs to be protected to create a more secure organization. In order to make sure assets are adequately protected from malicious actors and code, the framework makes use of the same procedure each time. There will not be a self-assessment for the CMMC.

Abel Solutions offers a CMMC Readiness Assessment to prepare your organization for the certification process.

While authorized and accredited C3PAOs are responsible for conducting the CMMC assessments, it is essential to note that you should first complete an internal readiness assessment. A readiness assessment will take you through the process for CMMC compliance before you submit your request to be certified. This process will help document your current security posture and action plan for compliance. This is also known as a Gap Analysis, which determines how far off you are from compliance. Our readiness assessment process consists of the following five steps:

Does your organization need help preparing for CMMC certification? Contact us today to learn more about our CMMC Readiness Assessment!